ivr cti
Like intelligence, it provides valuable cyber threats — additional cyber threat information that reduces uncertainty and helps consumers identify threats and opportunities.
像情报一样,它提供有价值的网络威胁-额外的网络威胁信息,可减少不确定性并帮助消费者识别威胁和机会。
Hackers are working to stay ahead of security programs and find new ways to break through organizations’ networks, so it is important that security experts use proactive best practices to prevent incidents. One of the best ways to do this is to understand and evaluate information about your organization’s cyber threats, and then apply that knowledge to ongoing efforts. With the right cyber threats, intelligence is present, you can take every step towards as good cybersecurity as possible.
黑客正在努力保持领先地位的安全程序,并找到突破组织网络的新方法,因此,安全专家使用主动的最佳实践来防止事件发生很重要。 最好的方法之一是了解和评估有关组织的网络威胁的信息,然后将这些知识应用于正在进行的工作中。 有了正确的网络威胁,您就可以拥有智能,您可以朝着尽可能好的网络安全迈出每一步。
Cyber threat information refers to the data that organizations collect and use to better understand past, present, and future threats. The information collected provides context to the operations on an organization’s network and helps identify potential threats and remain protected from future attacks. Organizations need to understand the attacker’s next steps so they can proactively defend their sensitive data and prevent future attacks.
网络威胁信息是指组织为了更好地了解过去,现在和将来的威胁而收集和使用的数据。 收集的信息为组织网络上的操作提供了上下文,并有助于识别潜在威胁并保持免受未来攻击的影响。 组织需要了解攻击者的下一步措施,以便他们可以主动保护其敏感数据并防止将来的攻击。
CTI provides information on malicious actors, their tools, their infrastructure, and their methods for;
CTI提供有关恶意行为者,其工具,其基础结构及其使用方法的信息;
● Identifying types of attacks,
●识别攻击类型,
● Defining, guiding, and prioritizing operational requirements,
●定义,指导和按优先顺序排列操作需求,
● Understanding threat actor capability, tactics, techniques, and procedures,
●了解威胁参与者的能力,策略,技巧和程序,
● Deploying detection systems,
●部署检测系统,
● Developing defense strategies.
●制定防御策略。
Even though more can be added, we can classify the top threats as follow;
即使可以添加更多内容,我们也可以将主要威胁分类如下:
● Malware,
●恶意软件,
● Web-based attacks,
●基于Web的攻击,
● Web application attacks,
●Web应用程序攻击,
● Denial of Service,
●拒绝服务,
● Botnets,
●僵尸网络,
● Phishing,
●网络钓鱼,
● Spam,
●垃圾邮件,
● Ransomware,
●勒索软件,
● Insider threat,
●内部威胁
● Physical manipulation/damage/theft/loss,
●物理操纵/损坏/盗窃/损失,
● Exploit kits,
●漏洞利用工具包,
● Data breaches,
●数据泄露,
● Identity theft,
●身份盗用,
● Information leakage,
●信息泄漏,
● Advanced Persistent Threats (APTs)
●高级持续威胁(APT)
To be able to prevent or minimize the risks against such threats, it is important to understand, analyze and being advanced in five methods of threat detection and response;
为了能够预防或最大程度地减少针对此类威胁的风险,重要的是要了解,分析和改进五种威胁检测和响应方法;
(1) Network and endpoint monitoring that is constant and comprehensive, including capabilities such as full-packet capture and behavior-based threat detection on hosts.
(1)持续且全面的网络和端点监视,包括诸如全包捕获和主机上基于行为的威胁检测之类的功能。
(2) Advanced analytics techniques that can sift through massive amounts of information, such as network traffic, in near-real-time to spot suspicious behaviors and accelerate investigations.
(2)先进的分析技术,可以近乎实时地筛选大量信息(例如网络流量),以发现可疑行为并加快调查速度。
(3) Malware analysis using methods that don’t rely on file signatures and go straight to the actual behavior of executables, whether collected on the network or endpoints, to detect hostile activity.
(3)恶意软件分析使用的方法不依赖文件签名,而是直接检查可执行文件的实际行为(无论是在网络上还是在端点上收集),以检测敌对活动。
(4) Incident detection and response practices that align security personnel, processes, and technologies to streamline and accelerate workflows so security operations teams can spend less time on routine tasks and more time defending high-priority assets and address the riskiest threats.
(4)事件检测和响应实践使安全人员,流程和技术保持一致,以简化和加速工作流,因此安全运营团队可以将更少的时间用于日常任务,而将更多的时间用于防御高优先级的资产并应对风险最高的威胁。
(5) Open-source intelligence (OSINT) is collecting information from the public, open tools, or resources to be used in an intelligence context. Data flow for OSINT can be categorized into 6 classifications. Media (newspapers, magazines, radio, television, etc.), Internet (such as blogs, dark-web, websites, YouTube, Twitter, Facebook, etc.), Public Government Data (public government reports, speeches, conferences, etc.), Professional and Academic Publications (journal, academic papers, dissertation, theses, etc.), Commercial Data (commercial imagery, financial and industrial assessments, etc.), Grey Literature (technical reports, preprints, patents, business documents, etc.).
(5)开源情报(OSINT)正在从公共,开放工具或情报环境中使用的资源中收集信息。 OSINT的数据流可以分为6类。 媒体(报纸,杂志,广播,电视等),互联网(例如博客,暗网,网站,YouTube,Twitter,Facebook等),公共政府数据(公共政府报告,演讲,会议等)。 ),专业和学术出版物(期刊,学术论文,论文,论文等),商业数据(商业图像,财务和工业评估等),灰色文献(技术报告,预印本,专利,商业文件等)。 )。
A. 网络攻击的方法论 (A. The Methodology of Cyber Attacks)
Figure 1 depicts 7 phases of a cyber-attack aka Lockheed Martin’s “Cyber Kill Chain”. These attack steps were also presented in NIST SP 800–115.
图1描绘了网络攻击(也称为洛克希德·马丁公司)的“网络杀伤链”的七个阶段。 NIST SP 800–115中也介绍了这些攻击步骤。
By following cyber kill chain steps, an adversary can;
通过遵循网络杀伤链步骤,对手可以;
(1) identify and select a target(s) (Phase 1 — Reconnaissance),
(1)识别并选择目标(第1阶段-侦察),
(2) packages an exploit into a payload designed to execute on the targeted computer/network (Phase 2 — Weaponize),
(2)将漏洞利用打包到旨在在目标计算机/网络上执行的有效负载中(第2阶段-武器化),
(3) delivers the payload to the target system(s) (Phase 3 — Deliver),
(3)将有效负载传送到目标系统(阶段3-传送),
(4) executes the code on the target system(s) (Phase 4 — Exploit),
(4)在目标系统上执行代码(阶段4-利用),
(5) installs remote access software that provides a persistent presence within the targeted environment or system (Phase 5 — Install),
(5)安装远程访问软件,以在目标环境或系统中提供持久存在(阶段5-安装),
(6) employs remote access mechanisms to establish a command and control channel with the compromised device (Phase 6 — Command and Control),
(6)采用远程访问机制与受感染设备建立命令和控制通道(阶段6-命令和控制),
(7) pursues intended objectives (e.g., data exfiltration, lateral movement to other targets) (Phase 7 — Act on Objectives).
(7)追求既定目标(例如,数据泄露,向其他目标的横向移动)(第7阶段-目标行动)。
Perceiving that a progression of preliminary steps and activities will go before a malicious attack, intelligence efforts can be sent to recognize;
认为在恶意攻击之前将进行一些初步步骤和活动,因此可以将情报工作发送出去进行识别;
● who may be targeting a network?
●谁可能针对网络?
● what are the intentions and capabilities of the malicious actors?
●恶意行为者的意图和能力是什么?
● when they will conduct their activity?
●他们什么时候进行活动?
● where the activity will originate?
●活动起源于何处?
● how they plan to penetrate or affect the network?
●他们计划如何渗透或影响网络?
B. 网络威胁情报的特征 (B. Characteristics of Cyber Threat Intelligence)
By perceiving and drawing in the enemy amid the reconnaissance, weaponization, and conveyance periods of the cyber-attack lifecycle, can give a chance to time to take the necessary course of action to protect the network and prevent the attacks. This also allows for creating an effective response and recovery strategies. To be more effective in threat intelligence, the following characteristic should be adapted;
通过在网络攻击生命周期的侦察,武器化和传输阶段中感知并吸引敌人,可以有时间采取必要的行动来保护网络并防止攻击。 这也允许创建有效的响应和恢复策略。 为了在威胁情报方面更有效,应采用以下特征:
● Timely: For effective threat intelligence time plays a critical role. Intelligence ought to be quickly conveyed with insignificant idleness.
● 及时:对于有效的威胁情报而言,时间至关重要。 应当以微不足道的闲散Swift传达情报。
● Relevant: Threat intelligence needs to apply to the related environment.
● 相关:威胁情报需要应用于相关环境。
● Accurate: To be able to take more reasonable and effective measurements against attacks more accurate intelligence is necessary. Therefore, the information which is provided by threat intelligence should be correct, complete, and explicit.
● 准确:为了能够对攻击进行更合理,更有效的测量,需要更准确的情报。 因此,威胁情报提供的信息应正确,完整和明确。
● Specific: More detailed and more specific threat intelligence can allow defenders to choose suitable countermeasures.
● 特定:更详细,更具体的威胁情报可以使防御者选择合适的对策。
● Actionable: Actions are needed to be identified by threat intelligence to ensure necessary data for the response against threats.
● 可采取行动:威胁情报需要识别行动,以确保必要的数据来应对威胁。
One other recommended intelligence model is named as the Diamond Model of Intrusion Analysis. The model verbalizes and investigates the four key purposes of any occasion: adversary, infrastructure, capability, and victim. Understanding these four purposes of the model, finding the data identified with each, and understanding wherein the attacker’s kill chain the occasion happened fundamentally adds to understanding an attacker and in like manner delivering threat intelligence.
另一种推荐的情报模型被称为“入侵分析的钻石模型”。 该模型表达并调查了任何场合的四个关键目的:对手,基础设施,能力和受害者。 理解模型的这四个目的,找到每个目标所识别的数据以及了解攻击者从根本上在其中的杀手链从根本上增加了对攻击者的了解,并且以类似的方式提供了威胁情报。
The Cyber Kill Chain and the Diamond Model help to distinguish intrusions and look past the possibility of a solitary intrusion and toward identification and understanding of attacker techniques. Both of these nourish into the Active Cyber Defense Cycle as shown in figure 2.
“网络杀人链”和“钻石模型”有助于区分入侵,并超越了单独入侵的可能性,并有助于识别和理解攻击者的技术。 两者都滋养到“主动网络防御周期”中,如图2所示。
C. 网络威胁狩猎 (C. Cyber Threat Hunting)
Cyber threat hunting is the procedure of proactively and iteratively seeking through networks to detect and isolate propelled threats that avoid existing security arrangements. Hunting is an iterative procedure, which means it must be consistently done in a loop, starting with a hypothesis. There are three types of hypotheses;
网络威胁搜寻是主动和迭代地搜索网络以检测和隔离可避免现有安全措施的威胁的过程。 狩猎是一个迭代过程,这意味着它必须从假设开始,一直在循环中始终如一地完成。 假设有三种:
● Analytics-Driven: “Machine-learning and UEBA (Unlike rule-based systems), used to develop aggregated risk scores that can also serve as hunting hypotheses”.
●分析驱动:“机器学习和UEBA(不同于基于规则的系统),用于制定汇总的风险评分,也可以用作狩猎假设”。
● Situational-Awareness Driven: “Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends”.
●情景意识驱动:“皇冠珠宝分析,企业风险评估,公司或员工级趋势”。
● Intelligence-Driven: “Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans”.
●情报驱动:“威胁情报报告,威胁情报源,恶意软件分析,漏洞扫描”。
D. 网络威胁级别 (D. Cyber Threat Levels)
Cyber threat and preparedness levels were introduced by the MITRE Corp. Five cyber threat levels were proposed and each of which corresponds to a general strategy of cyber defense as it is shown in table 1.
MITRE公司介绍了网络威胁和防范级别。提出了五个网络威胁级别,每个级别对应于一般的网络防御策略,如表1所示。
● Threat-Level-1: Cyber Vandalism, which corresponds to Perimeter Defense
●威胁等级1:网络破坏,与外围防御相对应
● Threat-Level-2: Cyber Theft/Crime, which corresponds to a defense approach of Critical Information Protection
●威胁级别2:网络盗窃/犯罪,对应于关键信息保护的防御方法
● Threat-Level-3: Cyber Incursion/Surveillance, which corresponds to a defense approach of Responsive Awareness
●威胁级别3:网络入侵/监视,它对应于防御意识的防御方法
● Threat-Level-4: Cyber Sabotage/Espionage, which corresponds to a defense approach of Architectural Resilience
●威胁级别4:网络破坏/间谍活动,它对应于架构弹性的防御方法
● Threat-Level-5: Cyber Conflict/Warfare, which corresponds to a defense approach of Pervasive Agility.
●威胁级别5:网络冲突/战争,与普遍敏捷的防御方法相对应。
E. 网络威胁管理 (E. Cyber Threat Management)
Cyber Threat Management (CTM) is much more than just risk assessment. It emerges best practices for managing cyber threats. CTM includes:
网络威胁管理(CTM)不仅仅是风险评估。 它是管理网络威胁的最佳实践。 CTM包括:
● Manual and automated intelligence gathering and threat analytics.
●手动和自动情报收集和威胁分析。
● A comprehensive methodology for real-time monitoring including advanced techniques such as behavioral modeling.
●全面的实时监控方法,包括行为建模等高级技术。
● Use of advanced analytics to optimize intelligence, generate security intelligence, and provide Situational Awareness.
●使用高级分析来优化情报,生成安全情报并提供态势感知。
● Technology and skilled people leveraging situational awareness to enable rapid decisions and automated or manual actions.
●技术人员和技术人员利用态势感知来做出快速决策和自动或手动操作。
The cyber threat management framework (as shown in figure 3) has different stages such as Observation, Orientation, Decision, Action which can help early detection of threats and limit damage actions.
网络威胁管理框架(如图3所示)具有不同的阶段,例如观察,定向,决策和行动,可以帮助及早发现威胁并限制破坏行为。
Automated security systems can use threat information to protect networks and systems by tracking threat vectors such as network traffic, network activity, and network connectivity. Once a specific threat vector is identified and added to the data feed, it becomes much easier for firewalls and SIEM Security Information and Event Management) applications to identify and block it. That is why it is essential to combine cyber-threat intelligence tools with up-to-date threat information feeds that provide data on emerging and existing threats.
自动化安全系统可以使用威胁信息通过跟踪威胁向量(例如网络流量,网络活动和网络连接)来保护网络和系统。 一旦确定了特定威胁向量并将其添加到数据源中,防火墙和SIEM安全信息和事件管理应用程序就可以更轻松地识别和阻止它。 因此,必须将网络威胁情报工具与最新的威胁信息源相结合,以提供有关新兴威胁和现有威胁的数据。
This information helps security teams to learn about the tactics, techniques, and practices of potential hackers and can be used to improve the security of their systems when working properly. Coupled with a robust security solution, threat information can help reduce vulnerability to cyber-attacks and save your business money by avoiding recovery-related expenses, including money that can be paid as a penalty or as part of legal action. Effective security programs require continuous monitoring and evaluation to ensure that threat information works in conjunction with other security solutions.
此信息可帮助安全团队了解潜在黑客的策略,技术和做法,并可在正常工作时用于提高其系统的安全性。 结合强大的安全解决方案,威胁信息可以避免与恢复相关的费用,包括可以作为罚款或作为法律诉讼的一部分而支付的费用,从而有助于减少网络攻击的脆弱性并节省您的业务费用。 有效的安全计划需要进行连续的监视和评估,以确保威胁信息可以与其他安全解决方案结合使用。
Through this process, raw data becomes a valuable resource for the security team and an important part of the overall security strategy. Once you have put in place these basic measures, it is up to you to keep your security teams up to date with the latest cyber threats and best practices in cybersecurity. Applying the insights gained from this data allows your security team to make faster and more informed security decisions, so you are one step ahead of any cyber threat.
通过此过程,原始数据成为安全团队的宝贵资源,也是整个安全策略的重要组成部分。 一旦采取了这些基本措施,就可以让您的安全团队了解最新的网络威胁和网络安全最佳实践。 利用从这些数据中获得的见解,您的安全团队可以做出更快,更明智的安全决策,因此您比任何网络威胁都领先一步。
Threat information is useful in many ways, the most important being to help security professionals understand the attacker’s thought process by uncovering the motives behind the attack and the behavior of the threat. With the external insights and context that threat intelligence provides, your vulnerability management team can prioritize the more important vulnerabilities more accurately.
威胁信息在许多方面都是有用的,最重要的是通过揭示攻击背后的动机和威胁行为,帮助安全专业人员了解攻击者的思维过程。 借助威胁情报提供的外部见解和上下文,您的漏洞管理团队可以更准确地对较重要的漏洞进行优先级排序。
Cyber threat intelligence provides knowledge to bring unknown threats to light, enabling organizations to make better decisions about their security. Keep stakeholders, executives and users informed about the latest cyber threats and their impact on your organization. Make sure that your security team is kept informed of the enormous volume of cyber threats, including the methods used.
网络威胁情报可提供知识,将未知的威胁暴露出来,使组织能够对其安全性做出更好的决策。 让利益相关者,主管和用户了解最新的网络威胁及其对组织的影响。 确保使您的安全团队随时了解大量的网络威胁,包括所使用的方法。
One of the ways organizations do this is to integrate intelligence feeds on cyber threats into their existing security solutions. This is a collection of information from various sources coming from across the network and gives a sense of potential global threats that can be as simple as suspicious domains and IP addresses associated with suspicious activity.
组织执行此操作的方法之一是将有关网络威胁的情报源集成到其现有安全解决方案中。 这是来自整个网络的各种来源的信息的集合,并给人以潜在的全球威胁的感觉,就像可疑域和与可疑活动相关的IP地址一样简单。
Cited Sources
被引来源
● 2016 Threat Landscape Report, ENISA, 2016.
●2016年威胁态势报告,ENISA,2016年。
● Intelligence-Driven Threat Detection & Response, RSA, 2014.
●基于情报的威胁检测与响应,RSA,2014年。
● J. T. Richelson, “The US Intelligence Community”.
●JT Richelson,“美国情报界”。
● Threat Intelligence: Collecting, Analysing, Evaluating, MWR, CERT-UK, CPNI, 2015.
●威胁情报:收集,分析,评估,MWR,CERT-UK,CPNI,2015年。
● Applying the Threat Intelligence Maturity Model to Your Organization, Eclectic IQ, 2015.
●将威胁情报成熟度模型应用于您的组织,折衷智商,2015年。
● K. R. Choo, “The Cyber Threat Landscape: Challenges and Future Research Directions”, Elsevier, 2011.
●KR Choo,“网络威胁格局:挑战和未来研究方向”,Elsevier,2011年。
● D. Planqué, “Cyber Threat Intelligence — From Confusion to Clarity; An Investigation into Cyber Threat Intelligence”, 2017.
●D.Planqué,“网络威胁情报-从混乱到清晰”; 《网络威胁情报调查》,2017年。
● A. Caglayan, et. al., “Behavioral Analysis of Botnets for Threat Intelligence”, 2012.
●A. Caglayan等。 等,“僵尸网络的威胁情报行为分析”,2012年。
● E. W. Burger, et. al. “Taxonomy Model for Cyber Threat Intelligence Information Exchange Technologies”, 2014.
●EW Burger等。 等 “网络威胁情报信息交换技术的分类模型”,2014年。
● E. M. Hutchins, M. J. Cloppert, R. M. Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.”, Lockheed Martin Corporation, 2009.
●EM Hutchins,MJ Cloppert,RM Amin,“通过对敌手战役和入侵杀伤链进行分析,了解智能驱动的计算机网络防御。”,洛克希德·马丁公司,2009年。
● K. Scarfone, M. Souppaya, A. Cody, A. Orebaugh, “Technical Guide to Information Security Testing and Assessment”, SP 800–115, NIST, 2008.
●K. Scarfone,M。Souppaya,A。Cody,A。Orebaugh,“信息安全测试和评估技术指南”,SP 800–115,NIST,2008年。
● Guide to Cyber Threat Information Sharing, SP 800–150, NIST, 2016.
●《网络威胁信息共享指南》,SP 800–150,NIST,2016年。
● T. Mattern, J. Felker, R. Borum, G. Bamford, “Operational Levels of Cyber Intelligence”, International Journal of Intelligence and Counterintelligence, 27: 702–719, 2014.
●T. Mattern,J。Felker,R。Borum,G。Bamford,“网络情报的运营水平”,国际情报与反情报杂志,27:702-719,2014年。
● S. Caltagirone, A. Pendergast, C. Betz, “The Diamond Model of Intrusion Analysis”.
●S. Caltagirone,A。Pendergast,C。Betz,“入侵分析的钻石模型”。
● “The Who, What, Where, When, Why and How of Effective Threat Hunting”, SANS Institute, 2016.
●“谁,什么,什么地方,什么时候,为什么以及如何进行有效的威胁搜寻”,SANS研究所,2016年。
● P. D. Gasper, “Cyber Threat to Critical Infrastructure 2010–2015,” Idaho National Laboratory, 2008.
●PD Gasper,“ 2010-2015年网络对关键基础设施的威胁”,爱达荷州国家实验室,2008年。
● “Cyber Threat Hunting”, Sqrrl, Retrieved from: https://sqrrl.com/solutions/cyber-threat-hunting/, 19.11. 2017.
●“网络威胁搜寻”,网址: https ://sqrrl.com/solutions/cyber-threat-hunting/,19.11。 2017。
● D. Bodeau, R. Graubart, J. F. Greene, “Improving Cyber Security and Mission Assurance via Cyber Preparedness (Cyber Prep) Levels”, The MITRE Corporation, 2009.
●D. Bodeau,R。Graubart,JF Greene,“通过网络准备(网络准备)水平提高网络安全和使命保证”,MITRE公司,2009年。
● T. Mattern, J. Felker, R. Borum, G. Bamford, “Operational Levels of Cyber Intelligence”, International Journal of Intelligence and Counterintelligence, 2014.
●T. Mattern,J。Felker,R。Borum,G。Bamford,“网络情报的运营水平”,国际情报与反情报杂志,2014年。
● “What is Cyber Threat Management?”, Institute of Cyber Threat Management, Retrieved from: https://www.ioctm.org/What-is-Cyber-Threat-Management, 20.11.2017.
●“什么是网络威胁管理?”,网络威胁管理研究所,摘自: https: //www.ioctm.org/What-is-Cyber-Threat-Management,20.11.2017。
翻译自: https://medium.com/swlh/cyber-threat-intelligence-cti-in-a-nutshell-1-71a03916fd92
ivr cti
扫一扫
1271
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
